They Don't Hack Your Computer. They Hack You.
Your antivirus can't stop a polite email. Here's how the bad guys talk their way past every wall you've built — and why AI just made them a lot more convincing.
A Scenario
Picture this. It’s a slow Tuesday. You’re behind on edits, the coffee’s gone cold, and an email lands that makes you sit up straight.
A gallery. A real-sounding one, with a real-sounding name. They’ve seen your work. They love the series you posted last month — they mention it by name, the exact one. They have a buyer. A serious buyer. They want three pieces for a show, and they need your portfolio and an invoice by Friday to lock it in.
Holy cow. Finally.
You write back fast, because of course you do. They reply within the hour, warm and professional, and send over a “contract” to open and a link to their “collector portal” where you’ll upload your high-resolution files and your banking details for the payout.
And right there, on that slow Tuesday, with your guard down and your hopes up, is the moment the whole thing turns. Not because your computer failed you. Because someone read you like a price tag and told you exactly what you wanted to hear.
That’s social engineering. And it is the single most reliable way the bad guys get past every wall you’ve built.
What It Actually Is: The Tip of Their Spear
You can spend money on antivirus. You can use a password manager, turn on two-factor, keep everything patched. Good. Do all of it. But none of it guards the one door that’s always unlocked: you.
The government’s own cybersecurity agency, CISA, defines social engineering plainly — it’s when an attacker uses ordinary human interaction to talk their way into information or access (CISA, “Avoiding Social Engineering and Phishing Attacks”). No code. No brute force. Just a person being convincing. Phishing — the fake email, the fake login page — is just the most common flavor of it.
Here’s the part that matters for you. Every other kind of attack has to beat your software. Social engineering skips the software entirely and goes straight for your judgment, your trust, usually when you’re rushed, flattered, or scared. It doesn’t pick the lock. It knocks on the door and waits for you to open it, smiling.
Why AI Changed the Game
For years, we had tells. The clumsy grammar. The weird phrasing. The “Dear Valued Artist.” You could feel a scam the way you can feel a bad print — something’s just off. That instinct kept a lot of people safe.
AI took the tells away.
The bad guys now have the same AI writing tools you do. The grammar is clean. The tone is right. The fake gallery email reads like it was written by someone who actually runs a gallery, because a machine polished every word.
The Federal Trade Commission has said this out loud:
“Fraudsters are using AI tools to impersonate individuals with eerie precision and at a much wider scale. With voice cloning and other AI-driven scams on the rise, protecting Americans from impersonator fraud is more critical than ever” (FTC).
And the trend line is going the wrong way. In the FTC’s most recent fraud data, impersonation scams — someone pretending to be a business, an agency, or a person you trust — were the single most-reported kind of fraud, with about $2.95 billion lost in a single year. Total reported fraud losses jumped 25% to $12.5 billion (FTC, 2024 Fraud Data Book).
Voice cloning is the part that should stop you cold. A few seconds of someone talking — a podcast clip, a reel, a voicemail greeting — is enough to fake their voice. Now the phone call from a “client” or a “collaborator” sounds like a real person. And it goes further than audio.
In early 2024, a finance worker at the engineering firm Arup was talked into making 15 wire transfers totaling about $25 million after a video call where every other “person” on the screen — including the company’s CFO — was an AI-generated fake. A whole meeting, fabricated. The only real human in the room was the victim.
And this isn’t rare or far away. In its 2025 report, the FBI’s complaint center logged over a million reports of internet crime — a record — with losses near $21 billion, up from $16.6 billion the year before. The single most-reported crime, by volume, was phishing and spoofing: the bread and butter of social engineering.
For the first time in the report’s history, the FBI added a whole section on AI-enabled fraud — 22,364 complaints and nearly $893 million lost in a single year to scammers using AI to clone voices, fake IDs, and produce believable videos of public figures and loved ones (FBI, 2025 Internet Crime Report).
You are not a $25 million engineering firm. But you are easier to research and easier to rush, and the same tools that faked that boardroom can fake a gallery owner, a wedding client, a record label, or a fellow artist who wants to “collab.”
The Traps Built for Artists
Generic security advice misses how you actually get hit, because the bait is shaped like your dream, not your fear.
The flattering inquiry is the big one. A gallery, a buyer, a brand, a booking — someone who “found your work” and wants to pay you for it. The flattery is the weapon. It’s tuned to the exact thing you’ve been hoping to hear, and hope makes terrible security. The ask that follows looks reasonable: open this contract, log into this portal, send your files and payout details here.
Watch for the cousins of that same con:
The overpayment, where a “client” sends too much and asks you to refund the difference — and their original payment later bounces, leaving you out the refund.
The deposit-flip, where you’re pushed to move fast on a booking before you can check whether the venue or the buyer is even real.
The fake licensing or takedown notice, where someone claims you stole an image or infringed a copyright, and the panic is the point — it shoves you toward a malicious link before you think.
Every one of these works the same way underneath. Pull on a feeling — hope, urgency, fear — so you act before you verify.
What You Can Do Today
I’m not going to hand you a checklist and tell you to live by it. I’ll tell you the habits I keep, and you can decide what fits for you.
The one that’s saved me more than any tool: I verify on a second channel.
If an email asks for money, files, or a login, I don’t reply to the email.
I find the gallery or the client through a number or address I looked up myself — not the one in the message — and I ask, “Did you just send me this?”
It costs two minutes. It has never once cost me a sale that was real, because real clients are fine with you being careful.
This is the same move the FBI pushed in a 2025 warning about AI voice and message scams: don’t trust that a familiar voice or a polished message is genuine — verify the person through a separate, known channel before you act.
A few more I lean on:
I slow down on anything that’s rushing me, because urgency is the tell that replaced bad grammar.
I never log in through a link someone sent — I go to the site myself and log in the way I always do.
I treat my own voice and face as material the bad guys can copy, the way you’d treat a high-res file you don’t want stolen, because that’s now exactly what they are.
What You Can Do for the Long Haul
The short-term habits buy you time. The long game is making yourself a harder target and a softer landing if you ever do slip.
Turn on two-factor authentication, using an authenticator app (not text message codes), everywhere that holds your money or your work — email, bank, the platforms you sell on. It won’t stop the con, but it can stop a stolen password from becoming a stolen account. Use a password manager so one tricked login doesn’t unlock the rest of your life. Keep the part of your business that handles money a little separate from the part that handles everyday email, so one bad click can’t reach everything at once.
And the human one, which matters most: decide now, while you’re calm, what your rules are. What you will and won’t do over email. How you confirm a new client. Where the line is. Because you can’t think clearly in the moment the flattering email lands — that’s the whole point of it: to provoke an emotional reaction, to hack human behavior. The decision has to be made before the bad guys come knocking.
Where I Landed
The uncomfortable truth is that the better the bad guys get with AI, the less your safety depends on technology and the more it depends on habit and behavior. The machines on both sides are close to a draw. What tips it is whether you pause, on a slow Tuesday with your guard down, and check.
The median time from a phishing email arriving to a user clicking a malicious link is just 21 seconds, leaving almost no time for verification.
You don’t have to become paranoid. You have to become slow at exactly the right moments — the moment money moves, the moment a login is asked for, the moment a stranger tells you exactly what you’ve been dreaming of hearing.
That pause is the one wall they can’t talk their way past. It’s also free.
What’s the most convincing scam attempt that ever landed in your inbox — the one you almost fell for? What made you stop? You can read about my personal malware encounter here. I want to collect the tells that still work, because the old ones (bad grammar, weird links) are dying fast.







